FTP clients can connect to FTP servers directly and transfer files or data over direct socket connections. In some cases, however, the FTP clients need protection, and most Internet clients reach the Internet from a LAN that is connected to it through a firewall that supports NAT (Network Address Translation), or that is fully isolated behind a proxy server.

Background

An FTP server listens for client requests on port 21. A client that wants to use a server connects to it, sends identification data to authenticate itself, and then issues its requests, all over one TCP connection, as in figure 1.

The connection is kept open between the server and the client so they can exchange FTP commands. If the client wants to get data, it can request it in two ways:

The Client specifies a non-default client side data port with the PORT command.

client: PORT h1,h2,h3,h4,p1,p2
server: 200 Command okay.
// where h1 is the high order 8 bits of the internet host address.

The server then connects to this host address, sends the data, and closes the connection.

The Client requests the server side to identify a non-default server side data port with the PASV command.

client: PASV
server: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).
// where h1 is the high order 8 bits of the internet host address.

The client then connects to this host address and receives the reply to its data request on that channel; the server then closes the connection.

Proxy Server role between FTP client and FTP Server

User connect/authentication

First, I will describe the user connect/authentication process and how various proxies implement these requests differently. When an FTP client connects to an FTP server directly, it resolves the FTP server address and connects to port 21 (the default FTP port), and the FTP server responds with a welcome message telling the client that it is ready to receive user authentication information. What happens with a proxy server? How can the FTP client tell the proxy server the address of the FTP server it wants to connect to? It can be done in various ways, as you can see from the following figure, taken from the firewall settings of the CuteFTP client:

As you can see, the client first sends authentication information to the proxy, which keeps it until it receives the FTP server name in the SITE command (e.g. site ftp.cuteftp.com); the proxy then connects to the FTP server and resends the login information to it.

As you can see, the client sends the user name and the FTP server in the USER command (e.g. USER anonymous@ftp.cuteftp.com); the proxy then connects to the FTP server and sends it the user name, and the dialog continues between the client and the server.

As you can see, the client first sends authentication information to the proxy, which keeps it until it receives the FTP server name in the USER command (e.g. USER anonymous@ftp.cuteftp.com); the proxy then connects to the FTP server and resends the login information to it.

As you can see, the client first sends authentication information to the proxy, which keeps it until it receives the FTP server name in the open command (e.g. open ftp.cuteftp.com); the proxy then connects to the FTP server and resends the login information to it.

As you can see, the client first sends authentication information to the proxy, which keeps it until it receives the FTP server name in the open command (e.g. open ftp.cuteftp.com) or the USER command (e.g. USER anonymous@ftp.cuteftp.com); the proxy then connects to the FTP server and resends the login information to it.

You can check each case with your own FTP client, which may have different settings, and you can have a look at the code that handles all of these cases:
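As an added example (not the article's attached code), this Python sketch shows how a proxy can hold the login commands until the client names the FTP server with SITE, open or USER user@host, and then replay them. The class name `ProxyLogin`, the hostname syntax check, and the rule that a later USER user@host replaces a held USER are assumptions of this example.

```python
import re

# Conservative hostname / dotted-address syntax (assumption of this example).
_HOST = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")


def _valid_host(name):
    # Reject anything that is not a plain host name before the proxy dials it.
    if len(name) > 253 or not _HOST.fullmatch(name):
        raise ValueError(f"invalid FTP server name: {name!r}")
    return name


class ProxyLogin:
    """Collects login commands until the client names the FTP server."""

    def __init__(self):
        self.held = []      # USER/PASS lines kept until the target is known
        self.server = None

    def feed(self, line):
        """Feed one client command line.

        Returns (server, commands_to_replay) once the FTP server is known,
        otherwise None while the proxy keeps waiting.
        """
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("SITE", "OPEN") and arg:
            self.server = _valid_host(arg)
        elif verb == "USER" and "@" in arg:
            # The user part may itself contain '@', so split on the last one.
            user, _, host = arg.rpartition("@")
            self.server = _valid_host(host)
            # Assumption: this USER supersedes any USER held earlier.
            passwords = [c for c in self.held if c.startswith("PASS ")]
            self.held = [f"USER {user}"] + passwords
        elif verb in ("USER", "PASS"):
            self.held.append(f"{verb} {arg}")
            return None
        else:
            raise ValueError(f"unexpected command before login: {verb}")
        return self.server, list(self.held)
```
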

PASV and PORT commands handling

Any proxy server should have at least one external address (WAN address) and one internal address (LAN address), as in figure 2. A client connected through the proxy server has a LAN address (internal address), which means it can't connect directly to the Internet. If the FTP client sends a PORT command, it specifies its own LAN address, or another LAN address, to receive the server's connection, but the server can't bypass the proxy server and reach LAN addresses. The PASV case has the same problem: the LAN client needs to connect to an external address on the server side to open the data channel, but it can't bypass the proxy server either. This is where the proxy server steps in and replaces these addresses, much as NAT does, which I will describe in the two cases:

In the PORT command case:

The client sends PORT command with the LAN address and a port.

The proxy server detects the PORT command, replaces the LAN address with its WAN address, and forwards the command to the FTP server.

The proxy server creates a listening socket on the received port and creates two threads:

one to receive from the FTP server and send to the FTP client.

and the second to receive from the FTP client and send to the FTP server.
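The address rewriting described above, as an added Python example that is not the article's attached code. It parses and formats the h1,h2,h3,h4,p1,p2 field from the Background section, rewrites a client's PORT command with the proxy's WAN address, and goes one step beyond the steps listed here by rewriting the server's 227 reply for the PASV case. The function names, the sample addresses used with it, and the check that the PORT address equals the control connection's peer are assumptions of this example.

```python
import ipaddress
import re

# Six decimal fields h1,h2,h3,h4,p1,p2 as used by PORT and the 227 reply.
_FIELDS = re.compile(r"(?<!\d)" + r",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def decode_hostport(text):
    """Return (ip, port) from the h1,h2,h3,h4,p1,p2 field inside text."""
    m = _FIELDS.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field")
    f = [int(x) for x in m.groups()]
    if max(f) > 255:
        raise ValueError("field out of range 0-255")
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]


def encode_hostport(ip, port):
    """Format (ip, port) as h1,h2,h3,h4,p1,p2."""
    octets = ipaddress.IPv4Address(ip).packed
    return ",".join(map(str, octets)) + f",{port >> 8},{port & 0xFF}"


def rewrite_port(line, client_peer_ip, proxy_wan_ip):
    """Client PORT -> (command for the server, (lan_ip, port) to relay to)."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    lan_ip, port = decode_hostport(arg)
    # Assumed policy (not from the article): relay only to the host that
    # owns the control connection.
    if lan_ip != client_peer_ip:
        raise PermissionError("PORT address is not the control-connection peer")
    # The proxy listens on proxy_wan_ip at the same port the client sent.
    return f"PORT {encode_hostport(proxy_wan_ip, port)}\r\n", (lan_ip, port)


def rewrite_pasv_reply(line, proxy_lan_ip, proxy_port):
    """Server 227 reply -> (reply for the client, (server_ip, port) to dial)."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply")
    target = decode_hostport(line[3:])
    field = encode_hostport(proxy_lan_ip, proxy_port)
    return f"227 Entering Passive Mode ({field}).\r\n", target
```
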

I have not described the code attached to this article, since you don't have to reuse it; I only wanted to describe the idea. Anyone who needs more details can contact me through mail, or send the part of the code that needs description.

If you want to try this demo, configure your FTP client to use a proxy server, set the proxy address and port (21), and don't forget to check the "PASV mode" checkbox.

Don't test this demo with an FTP client that uses the PORT command on the same machine: the FTP client creates a listening socket at the command address (the address sent with the command), and the proxy replaces the command address with its own machine address, which is the same address, so it fails to listen on the same port. So you can check the PASV command only.

Sir, after the proxy server connection and reply with "220 FTP Virtual Server", the client sends "USER" only. Then the client sends "site ftp.cuteftp.com" (for example), the proxy server connects to "ftp.cuteftp.com", then asks the client to send its user name and password:

I have seen your article on the code project, which is practical and informative. I really like it.

Can you guide me for my problem?

I have a client-server application; it works fine over the internet when both are not part of the network, by using the dialup connection. But I want the application to be run from the machine which is in LAN, meaning behind proxy. I have seen my articles like port forwarding, tunneling etc. One thing more, my application creates session after connection.

The problem I am facing is that the server is behind proxy/firewall, and the client tries to connect to it by using the Real IP of the machine having the proxy server and the port of the server, but the server is inside the LAN. Request denied because Real IP is in command of Proxy server.

Great article. I have a problem in connecting to HTTP Server through NAT. Are there also different methods of connecting with HTTP servers, like FTP through NAT? Please guide how can we connect with HTTP Server through NAT, or refer any material.

Thanks Jawad, I don't know what you mean by connecting through NAT. Do you want to implement the code of the NAT, or just connect through NAT, which is the responsibility of the NAT to translate addresses for you? Anyway, check this article: http://www.codeproject.com/internet/PortForward.asp Thanks

It is worthwhile mentioning that apart from pure FTP proxies (where, by the way, the author did not point out the fact that various proxies implement user connect/authentication requests differently) there are also HTTP proxies with FTP support. However, different browsers use the notion of an FTP proxy in different ways. IE, for one, uses ftp:// like requests, while Netscape assumes that the proxy it is configured to use is a plain FTP proxy with normal FTP control protocol support.